CVE-2026-11401
Privilege Escalation in AWS Advanced Go Wrapper for Aurora PostgreSQL
Publication date: 2026-06-05
Last updated on: 2026-06-05
Assigner: AMZN
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| amazon | aws_advanced_go_wrapper | 2026-05-26 |
| amazon | aws_advanced_go_wrapper | to 2026-05-26 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-426 | The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-11401 is a privilege escalation vulnerability in the AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL, classified as CWE-426 (untrusted search path). The GlobalDatabasePlugin resolves database object names through the connecting user's PostgreSQL search_path rather than through fully qualified, trusted names, so a remote, authenticated user with low privileges can escalate to the privileges of another Amazon RDS user, including the highly privileged rds_superuser role.
The attack follows the well-known PostgreSQL search_path pattern: the attacker plants a specially crafted function in a schema that sits on the victim's search_path (the public schema, which is why the vendor workaround removes it), and when the targeted user connects to the cluster through the affected wrapper, the plugin's own SQL resolves to the attacker's function, which then runs with the victim's permissions.
How can this vulnerability impact me?
The impact is severe: a low-privilege authenticated user can escalate to the privileges of any other user who connects through the affected wrapper, including the rds_superuser role, which is the most privileged role available on Amazon RDS.
An attacker exploiting this could read sensitive data, modify or delete data, change database configuration, create or alter roles, or perform other administrative actions, compromising the confidentiality, integrity, and availability of the database.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection starts with inventory: any application that connects to Amazon Aurora PostgreSQL through an AWS Advanced Go Wrapper release earlier than 2026-05-26 (the last affected release is 2026-04-06) is vulnerable. Check the wrapper version pinned in each application's go.mod and go.sum.
On the database side, look for the preconditions and the footprint of exploitation: roles whose search_path still includes public, low-privilege roles that hold CREATE on the public schema, and user-created functions in public, in particular ones whose names shadow pg_catalog functions.
To see exploitation attempts as they happen, log DDL (for example log_statement = 'ddl' in the cluster parameter group, or pgaudit) and alert on CREATE FUNCTION or CREATE OR REPLACE FUNCTION issued by roles that normally never create objects.
The advisory itself does not supply detection commands.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the AWS Advanced Go Wrapper to release 2026-05-26 or later, where the vulnerability is fixed.
Until the upgrade is deployed, the recommended workaround is to remove the public schema from the search_path of the roles that connect through the wrapper. Standard PostgreSQL hardening also applies: revoke CREATE on the public schema from PUBLIC (the default since PostgreSQL 15), so that low-privilege roles cannot plant objects there in the first place. Note that a search_path change only takes effect for new sessions, and that applications relying on unqualified references to objects in public must schema-qualify them or list the trusted schema explicitly.
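The following SQL is an added example, not code from the advisory or from the AWS Advanced Go Wrapper project. It gathers the detection checks discussed above (search_path in effect, who can create in public, user-created functions in public) and applies the workaround and hardening in one place. It is generic PostgreSQL; `app_role` and `appdb` are placeholder names for the role that connects through the wrapper and its database, and it should be run by a privileged role such as the RDS master user.

```sql
-- Added example (not part of the advisory or the AWS Advanced Go Wrapper):
-- detection and hardening for the PostgreSQL search_path pattern behind
-- CWE-426. "app_role" and "appdb" are placeholder names; substitute your own.

-- 1. What does the current session resolve unqualified names through, and
--    which roles carry their own search_path override? If "public" appears
--    on the path, unqualified function calls can resolve to planted objects.
SHOW search_path;
SELECT rolname, rolconfig
FROM   pg_roles
WHERE  rolconfig IS NOT NULL;

-- 2. Which non-superuser roles may create objects in the public schema?
--    Any low-privilege role listed here can plant a function there.
SELECT r.rolname
FROM   pg_roles r
WHERE  NOT r.rolsuper
  AND  has_schema_privilege(r.oid, 'public', 'CREATE')
ORDER  BY 1;

-- 3. Functions in public that belong to no extension, i.e. user-created.
--    shadows_catalog_name is a heuristic: a function with the same name as
--    a pg_catalog function is the classic shadowing candidate and deserves
--    a closer look (argument types decide whether it actually wins resolution).
SELECT n.nspname                                  AS schema,
       p.proname                                  AS function,
       pg_get_function_identity_arguments(p.oid)  AS args,
       pg_get_userbyid(p.proowner)                AS owner,
       l.lanname                                  AS language,
       EXISTS (SELECT 1
               FROM   pg_proc c
               JOIN   pg_namespace cn ON cn.oid = c.pronamespace
               WHERE  cn.nspname = 'pg_catalog'
               AND    c.proname  = p.proname)     AS shadows_catalog_name
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
JOIN   pg_language  l ON l.oid = p.prolang
LEFT   JOIN pg_depend d
       ON  d.classid = 'pg_proc'::regclass
       AND d.objid   = p.oid
       AND d.deptype = 'e'                        -- 'e' = owned by an extension
WHERE  n.nspname = 'public'
  AND  d.objid IS NULL
ORDER  BY shadows_catalog_name DESC, p.proname;

-- 4. Hardening. Drop public from the search_path of the connecting role and
--    of the database (the advisory's workaround), and stop low-privilege
--    roles from creating objects in public at all (PostgreSQL 15+ default).
ALTER ROLE     app_role SET search_path = "$user", pg_catalog;
ALTER DATABASE appdb    SET search_path = "$user", pg_catalog;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 5. Verify. ALTER ROLE/DATABASE ... SET applies to new sessions, so the
--    search_path check must be repeated from a fresh login as app_role.
--    The privilege check can be done here via SET ROLE: it is false unless
--    app_role was granted CREATE on public directly rather than via PUBLIC.
SET ROLE app_role;
SELECT has_schema_privilege('public', 'CREATE') AS app_role_can_create_in_public;
RESET ROLE;
```

Step 3 is where exploitation footprint shows up: a function owned by an ordinary application role, in a procedural language, whose name shadows a catalog function is the thing to investigate and, if unexplained, drop. Step 4 can break applications that reference objects in public without a schema qualifier; add that schema explicitly to the path or qualify the references before rolling the change out, and remember that the wrapper's own connections must be re-established for the new search_path to apply.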
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows a low-privilege authenticated user to escalate privileges to those of another Amazon RDS user, including the rds_superuser role. This privilege escalation could potentially lead to unauthorized access to sensitive data or administrative functions within the affected Amazon Aurora PostgreSQL environment.
Such unauthorized access and privilege escalation may impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive personal and health information. If exploited, this vulnerability could result in data breaches or unauthorized data manipulation, thereby violating these regulatory requirements.
To mitigate this risk and maintain compliance, upgrade to AWS Advanced Go Wrapper release 2026-05-26 or later and, until that upgrade is complete, apply the recommended workaround of removing the public schema from the search path.